Microsoft released the May 2020 Security Updates, which include fixes for 111 unique vulnerabilities, 16 of them rated Critical.
In all, the security updates address vulnerabilities in the following Microsoft products:
- .NET Core
- .NET Framework
- ChakraCore
- Internet Explorer
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Edge (EdgeHTML-based)
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- Power BI
- Visual Studio
- Windows Defender.
Microsoft has provided patches for each of the vulnerabilities and summarized them in the May 2020 Security Updates Release Notes.
Critical Microsoft Edge Elevation of Privilege Vulnerability
One of the patches addresses CVE-2020-1056, a Microsoft Edge elevation of privilege vulnerability rated Critical.
“An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain,” Microsoft stated in the advisory.
The issue affects multiple versions of Windows 10, Windows Server 2016 and Windows Server 2019.
Remote Code Execution vulnerabilities
The remaining 15 Critical patches all address remote code execution (RCE) vulnerabilities.
Four of them are SharePoint RCE vulnerabilities (CVE-2020-1023, CVE-2020-1024, CVE-2020-1069 and CVE-2020-1102).
An attacker who exploits three of the four could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Microsoft says the issue arises when the software fails to check the source markup of an application package.
In addition, Microsoft patched a Critical Internet Explorer memory corruption vulnerability CVE-2020-1062.
“A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft warned.
Administrators should also note that Microsoft rates exploitation of the IE vulnerability CVE-2020-1062 as “more likely” in its Exploitability Index.
Additional RCE vulnerabilities impact:
- MSHTML engine (CVE-2020-1064)
- ChakraCore (CVE-2020-1037 and CVE-2020-1065)
- Media Foundation (CVE-2020-1028, CVE-2020-1126 and CVE-2020-1136)
- VBScript (CVE-2020-1093)
- Color Management Module (CVE-2020-1117)
- Graphics Components (CVE-2020-1153)
Administrators should treat these RCE vulnerabilities as a high priority to patch: the browser and scripting engine flaws (Internet Explorer, MSHTML, ChakraCore and VBScript) are reachable by luring a user to a crafted web page, and the media, color management and graphics flaws by getting a user to open a crafted file, all running attacker code in the context of the current user.
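One way to confirm a Windows host has actually received the Critical fixes is to ask the Windows Update Agent what is still pending and to check the installed-hotfix list for the specific KBs that apply to the host's OS build. The script below is an added example and is not code from the original article or from Microsoft; the function names are my own, and the KB identifier passed at the bottom is a placeholder to be replaced with the KB numbers listed for the host's build in the Security Update Guide.

```powershell
# Added example (not from the original article or Microsoft): list pending
# Windows updates by MSRC severity and confirm that specific KBs are installed.
# Run in an elevated PowerShell session on Windows 10 / Server 2016 / 2019.

function Get-PendingUpdates {
    # Uses the Windows Update Agent COM API to search the host's configured
    # update source (Microsoft Update or WSUS) for updates not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Title        = $update.Title
            KB           = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            MsrcSeverity = $update.MsrcSeverity   # 'Critical', 'Important', 'Moderate', 'Low' or empty
            Downloaded   = $update.IsDownloaded
        }
    }
}

function Test-InstalledKB {
    param(
        [Parameter(Mandatory)] [string[]] $KBArticleId
    )
    # Get-HotFix reads the installed-hotfix list (Win32_QuickFixEngineering).
    # It is a fast local check, but it only sees updates that register there;
    # the pending-update search above is the authoritative view.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBArticleId) {
        $id = if ($kb -like 'KB*') { $kb } else { "KB$kb" }
        [pscustomobject]@{
            KB        = $id
            Installed = ($installed -contains $id)
        }
    }
}

# Usage. Anything still pending with MsrcSeverity 'Critical' is a gap.
Get-PendingUpdates | Where-Object MsrcSeverity -eq 'Critical' | Format-Table -AutoSize

# 'KB0000000' is a placeholder; pass the May 2020 cumulative update KB for
# this host's OS build, taken from the Security Update Guide.
Test-InstalledKB -KBArticleId 'KB0000000' | Format-Table -AutoSize
```

Caveat for WSUS-managed fleets: the pending-update search only returns what the configured update source offers, so a host pointed at a WSUS server where the May update has not yet been approved will report nothing pending even though it is unpatched. Check the approval state on the WSUS side as well.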
OpenSSL and Autodesk FBX vulnerabilities
In addition to the May patches, Microsoft also released security advisories late last month for a remote denial-of-service vulnerability in OpenSSL and an RCE vulnerability in the Autodesk FBX library.
According to Microsoft, the FBX RCE vulnerability affects Microsoft Office 2019 and Office 365 ProPlus (32- and 64-bit versions), which integrate the Autodesk FBX library.
Finally, Microsoft fixed 95 vulnerabilities rated Important, 6 rated Moderate and 6 rated Low severity.
Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.